France's data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.
Google has been hit with a total of €100 million ($120 million) for dropping cookies on Google.fr and Amazon €35 million (~$42 million) for doing so on the Amazon .fr domain under the penalty notices issued today.
The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country's Data Protection Act.
In Google's case the CNIL has found three consent violations related to dropping non-essential cookies.
"As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies," it writes in the penalty notice [which we've translated from French].
Amazon was found to have made two violations, per the CNIL penalty notice.
CNIL also found that the information about the cookies provided to site visitors was inadequate -- noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.
Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.
The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time, sites that failed to ask for consent to track were risking a big fine under EU privacy laws.
Google and Amazon are now finding that out to their cost, it seems.
We've reached out to Amazon and Google for comment on the CNIL's action.
Update: Google sent this statement, attributed to a spokesperson:
People who use Google expect us to respect their privacy, whether they have a Google account or not. We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today's decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.
Update 2: Amazon has also now sent a statement:
We disagree with the CNIL’s decision. Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.
Amazon added that it has updated information and choices offered on its cookie banners on its EU, U.K. and Turkish stores, in the wake of the CNIL's investigation -- pointing to its cookie preferences settings page where it said users can update their consent to cookies at any time.
In Google's case the CNIL also found that when a user selected to deactivate personalized advertising -- via an option that Google's cookie notice presented them with -- the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.
The CNIL's penalty for Google breaks down into a fine of €60 million for Google LLC and €40 million for Google Ireland Ltd.
It says the size of the fines is justified because of the seriousness of the triple breach of article 82 of the Data Protection Act.
Other factors involved in determining the size of the fine included the reach of Google's search engine in France and the fact that its corporate practices affect almost 50 million people, as well as the sizeable profits it derives from advertising, which are linked to data generated by its tracking cookies.
Per the CNIL's investigation, Google stopped automatically dropping the ad cookies on the Google.fr domain after an update in September 2020. However it said a new cookie notice that's presenting to arriving users still does not provide adequate information about what the cookies are used for nor inform users they can refuse these non-essential cookies.
Because of this the CNIL has also hit Google with an injunction -- giving it three months to correct the cookie notices so they provide the required information to users or Google is risking further fines of €100,000 per day until the violation stops.
The regulator's investigation of Google.fr took place in March 2020, while its checks on Amazon.fr took place between mid December 2019 and mid May 2020.
Amazon also updated its local site in September 2020 -- to stop automatically dropping the tracking cookies.
However the CNIL is similarly unhappy with the information it provides to users, finding it does not clearly explain the tracking cookies nor make it plain users can refuse this "personalized" advertising, so the e-commerce giant has also been issued with an injunction to make good on the consent notices within three months or face further fines of €100,000 per day.
The top-line penalties are some of the largest tech giants have faced in Europe to date related to the bloc's privacy rules. Albeit, the size of the fines still pales in comparison the billions the tech giants rake in globally each year.
The CNIL previously fined Google $57 million, back in 2019 -- also for failing transparency requirements. Though that case was related to complaints filed under the EU's General Data Protection Regulation (GDPR).
In this instance (for both Google and Amazon) the CNIL points out that cookie consent falls under the EU's ePrivacy Directive, which means the GDPR's one-stop-shop mechanism does not kick in. Which means the French watchdog has legal competence to investigate, rather than needing to refer concerns to a lead EU DPA where each of the companies have their regional legal base.
In Google's case that would be Ireland (while Amazon has its European legal base in Luxembourg).
It's worth noting that Ireland's DPC still hasn't issued a single GDPR decision in any of the scores of open cases related to big tech (including into various aspects of Google's business), more than 2.5 years since the GDPR came into application.
Meanwhile, the speed of French investigations and decisions continue to impress.
So today's cookie fines will likely provide more succour to critics of GDPR enforcement.
Although it's not a like-for-like comparison, as the CNIL's investigations in these cases have been limited in scope (i.e. national), bypassing the administrative complexity attached to GDPR cross-border cases -- which involves some joint working and ultimate agreement between multiple DPAs across the EU.
However, if an older EU directive is shown to be delivering speedy enforcement -- when the "shiny", newer regulation can't -- that does raise some major questions for regional lawmakers who have conceded in recent months that GDPR enforcement is a weakness of their flagship framework.
Forum shopping, via the GDPR's one-stop-shop mechanism, is looking like the biggest blocker to EU citizens being able to uphold their much trumpeted fundamental rights.
Returning to the cookie consent issue, the CNIL has made investigating cookie compliance a particular focus -- publishing updated guidance for using the tracking tech in October, when it said it would offer a grace period of up to six months to come into compliance.
However, the regulator warned it would continue to fully monitor wider compliance issues around cookies and could take action to protect the privacy of internet users if necessary.
Hence it's stepped in with penalties and injunctions for Google and Amazon now.
Ireland's DPC also published updated cookie guidance this year, back in April, saying too that it would give a grace period -- until October -- before it begun taking any enforcement action. But, so far, it hasn't made public any such action.
While its first ever GDPR decision in a cross-border case -- against Twitter -- is expected to land finally this month.